Online Payments and Donations in WordPress

We work with a lot of non-profits and one of the things we are asked most often is how to set up online donations. Here are some of the questions we get asked, along with our completely biased opinions.


Can I use my existing merchant account on my website?

Possibly, but we don’t recommend that. Your merchant card services provider can probably offer you an online solution, but there will be extra fees. And only go down this path if you like PCI Compliance. If you don’t know what PCI Compliance is, then trust us, you won’t like it. It’s easier to choose a solution like Stripe or PayPal which handles all PCI Compliance for you.


PayPal vs. Stripe?

Hands down, Stripe.


The big distinctions…

Both charge 30 cents + 2.9% per transaction (PayPal offers non-profits a 2.2% rate)

PayPal Standard: no monthly fee, but you cannot run transactions on your website. Your customers must jump out to PayPal to pay.

PayPal Pro: $30/month to be able to run transactions on your website. You need an SSL certificate.

Stripe: no monthly fee. Essentially the same as PayPal Pro but without the monthly fee. You need an SSL certificate.

Stripe and PayPal Pro are similar products, except PayPal Pro costs $30/month, where Stripe is free.


I don’t have an SSL certificate

SSL certificates cost $99/year and take a web designer about an hour to set up. Lately, most hosts will give you a free SSL certificate with your account. With an SSL certificate, you can process payments and donations directly on your website. Even if you don’t process transactions on your website, you still should have an SSL certificate. Here’s why.


But PayPal gives us a non-profit rate.

Yes, that’s very clever of them. You use their solution (which makes them money), and they save you 70 cents on a $100 donation. Most non-profits argue that PayPal is better because it’s cheaper. I disagree for a thousand reasons. Yes, PayPal offers non-profits a 2.2% per transaction rate vs. 2.9% for regular businesses.

And charges you a monthly fee to run transactions on your site

In order to run donations on your website, you’ll have to upgrade to PayPal Pro, which is $30/month. Stripe has no monthly fee and offers the same solution.

And costs you donations if you don’t upgrade to their Pro solution

Don’t make your customers work to give you money. More donations equal more money. More on this below.

And costs you development time

You pay your web designer an hourly rate, right? Stripe is just faster and easier to work with.

And causes you frustration

Stripe’s dashboard is intuitive and easy to use. I can’t say the same about PayPal’s.

NOTE: since publishing this post, a client of ours emailed Stripe and asked if they offer a non-profit rate, and here was their response

Thanks for reaching out about this, and for your interest in Stripe!

I’m pleased to report that Stripe very proudly supports non-profit organizations, and am happy to explore these options with you. We’re currently testing how we can best support US non-profits, and we’d love to offer you our new beta pricing model:

– 2.2% + $.30 for non-American Express transactions
– 3.5% for all American Express transactions


But PayPal is easier to set up

PayPal gives you the option to paste a “Buy Now” button on any page. That’s easy, but it’s not pretty and it doesn’t make me want to click it.


Isn’t Stripe just for developers?

No. My teenage daughter is a photographer and manages all her online website payments through Stripe. She can build forms, connect them to Stripe, issue refunds, set up recurring payments, etc. Yes, she’s young and grew up with technology, but she doesn’t listen to a word I say, and she’s managed to work out Stripe, with very little help from me. Plus, she hates math and programming of any kind and hasn’t needed any of those skills to work it out.


How do I connect Stripe to my website?

The GravityForms plugin is your friend. We have a developer’s license, so our clients use it for free. But even if you had to pay $59/year for it, it’s completely worth it. This is what we use on our website to take online payments.

Stay tuned for our next blog post, along with a video tutorial, on how to set up GravityForms & Stripe.


Why does it matter if someone has to leave my site to donate?

Do not make your donors or customers leave your site to give you money… ever!

When you ask someone to click out to pay, there is a chance they won’t complete the transaction. They might get distracted. They were about to give you money, but now they just clicked out to PayPal’s payment portal, and can’t remember if they even have a PayPal account, which they don’t need, but aren’t sure about that either. And, they’re bored with this already, and no longer interested in figuring this out, and they’re also no longer on your website. They were about to donate $100, and since you have a PayPal non-profit rate, that would’ve cost you 30 cents + 2.2% (or $2.20). That same donation would’ve cost you 30 cents + 2.9% ($2.90) with Stripe. In trying to save 70 cents, you just lost your donor.

You work really hard to get people to your site, so keep them there.


We work with Blackbaud and want to use their donation form

I get that, and in that case, you probably should use their donation form instead. It’s not elegant, and it’s not fun to use, and Blackbaud charges non-profits an ungodly amount of money for their, in my opinion, not very special solution. If you haven’t signed up with Blackbaud yet, please don’t. I can’t see how it’s worth that much money.


Is there any scenario in which you would recommend PayPal?

Yes. If you are already heavily invested in your PayPal account, are already paying $30/month for PayPal Pro, and you do a lot of volume, it’s a perfectly fine solution. It integrates seamlessly with GravityForms and is a much more robust solution than their free account.


In Conclusion

In my completely biased opinion, Stripe and GravityForms offer the cheapest, easiest, most flexible, and elegant solution you could possibly use.

Google Sends Strong Message About HTTPS in Upcoming Google Chrome Release

At the end of the month, Google will release a new version of the Chrome web browser. In this release there will be a critical change in the way it displays sites that are not using HTTPS, or SSL. We were notified of this through WordFence, the security plugin we use on all our websites. There’s a good article about this on their blog.

What is HTTPS?

The ‘S’ at the end of HTTPS stands for ‘Secure’, meaning that communications between your browser and the website are encrypted. Browsers will display a lock icon in the address bar to show that HTTPS is in effect.

What does this mean for your site visitors?

If you are not using HTTPS on your website, this new release is going to be confusing for your site visitors on Chrome. Your website will have a message in the URL bar that says “Not Secure” on pages that collect credit cards or login information.
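To see which of your pages fall under that rule, the following added example (not from the original post or from Google) checks a page's URL and HTML for the two conditions described above. It approximates Chrome's detection by looking for password inputs and for fields carrying the standard `cc-*` autocomplete tokens; the sample pages and the `example.org` URLs are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample pages: a WordPress-style login form and a donation form.
LOGIN_HTML = '<form method="post"><input type="text" name="log">' \
             '<input type="password" name="pwd" id="user_pass"></form>'
DONATE_HTML = '<form><input name="card_number" autocomplete="cc-number">' \
              '<input name="card_exp" autocomplete="cc-exp"/></form>'

class SensitiveFieldFinder(HTMLParser):
    """Collects inputs that ask for a password or for payment card data."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        name = a.get("name") or a.get("id") or "?"
        tokens = (a.get("autocomplete") or "").lower().split()
        if (a.get("type") or "").lower() == "password":
            self.found.append(("password", name))
        elif any(tok.startswith("cc-") for tok in tokens):
            self.found.append(("card", name))

def not_secure_reasons(url, html):
    """Return the sensitive fields on a page served over plain HTTP.
    An empty list means the warning described above would not apply."""
    if urlsplit(url).scheme.lower() != "http":
        return []  # HTTPS pages are not flagged by this rule
    finder = SensitiveFieldFinder()
    finder.feed(html)
    return finder.found

if __name__ == "__main__":
    pages = {"http://example.org/wp-login.php": LOGIN_HTML,
             "http://example.org/donate/": DONATE_HTML,
             "https://example.org/donate/": DONATE_HTML}
    for url, html in pages.items():
        print(url, "->", not_secure_reasons(url, html) or "ok")
```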

Do you need to upgrade to HTTPS?

If your site doesn’t take credit card payments, and doesn’t give your customers the ability to log in, this won’t affect you right away. However, you should still consider upgrading to HTTPS, because it is quickly becoming the new standard.

Google has been moving in this direction since 2014, when they started giving a small rankings boost to sites with HTTPS. As of now, this is only a minor boost, but experts predict Google will strengthen this signal to encourage all sites to go HTTPS. The most recent Chrome update is a strong indicator of this.

If your site is not currently using HTTPS, most hosts offer SSL certificates. It’s generally an extra $100/year to add an SSL certificate to your hosting package.

This update needs to be coordinated with your web designer, because there are a number of changes that need to be made to your WordPress site. Google has a good article about steps you need to take to implement SSL on your site.

Prevent Brute Force Attacks on Your Website

We’ve recently seen quite a few failed brute force attacks on clients’ websites. What that means is that a computer somewhere (seems like mostly Russia) will try to log in repeatedly using different passwords until it gets in or is denied by security software.

You should check your site to see if you have a security plugin installed to protect against this. In the site admin section, look under Plugins > Installed Plugins. If you see the plugin BulletProof Security listed, then you should be fine.

If you don’t have it installed, contact us and we can do it for you, or if you’d rather give it a try yourself, you can get it here: https://wordpress.org/plugins/bulletproof-security/ (it’s free).
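If you have access to your web server's access log, you can see these attempts for yourself. The following added example (not from the original post and not part of any plugin) counts form submissions to `wp-login.php` per source address in a sliding one-minute window and flags addresses that reach a threshold. The log lines are constructed, and the "combined" log format, the threshold of 5 and the reading of a 302 response as a successful login are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [12/Mar/2017:10:00:{s:02d} +0000] '
     '"POST /wp-login.php HTTP/1.1" 200 3021 "-" "-"' for s in range(0, 40, 5)]
    + ['198.51.100.4 - - [12/Mar/2017:10:03:10 +0000] '
       '"POST /wp-login.php HTTP/1.1" 302 0 "-" "-"',
       '198.51.100.4 - - [12/Mar/2017:10:03:11 +0000] '
       '"GET /wp-admin/ HTTP/1.1" 200 5120 "-" "-"'])

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Map each source IP with >= threshold login POSTs inside one window to
    (peak attempts in a window, whether any POST was answered with a 302)."""
    times, redirected = defaultdict(list), defaultdict(bool)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, stamp, method, path, status = m.groups()
        if method != "POST" or not path.split("?")[0].endswith("/wp-login.php"):
            continue  # only login form submissions count as attempts
        times[ip].append(datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z"))
        # Assumption: on a default install a 302 after the POST means the login worked.
        redirected[ip] |= status == "302"
    flagged = {}
    for ip, seen in times.items():
        seen.sort()
        start = peak = 0
        for end, t in enumerate(seen):
            while t - seen[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = (peak, redirected[ip])
    return flagged

if __name__ == "__main__":
    for ip, (peak, got_in) in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {peak} login attempts within a minute, redirect seen: {got_in}")
```

A flagged address with a redirect seen is the case to look at first, since it suggests one of the guesses may have worked.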

Update Gravity Forms to Keep Your Site Secure

Recently we’ve been asked to assist with a few sites that have been hacked. If you use the Gravity Forms plugin to handle your site’s forms (like a contact form) please make sure to update to the most current version. It turns out that there was a vulnerability with older versions of the plugin that gave hackers a way into the site.

To update Gravity Forms (or all of your plugins) click Plugins in the left hand navigation in the site admin area. Plugins in need of an update will be highlighted in orange (unless your version of WordPress is also in need of an update). From there all you need to do is click the Update link.

While you’re at it, it’s probably a good idea to update WordPress too.

You Can Never Have Too Many Backups!

As the title says… you can never have too many backups. Most of the WordPress sites we do are hosted with Bluehost and they do routine backups of their servers, but they also don’t make any guarantees:

“For its own operational efficiencies and purposes, Bluehost from time to time backs up data on its servers, but is under no obligation or duty to Subscriber to do so under these Terms. IT IS SOLELY SUBSCRIBER’S DUTY AND RESPONSIBILITY TO BACKUP SUBSCRIBER’S FILES AND DATA ON BLUEHOST SERVERS, AND under no circumstance will Bluehost be liable to anyone…”

Ultimately, as a website owner, you should know how to back up your own website. So if you want to be sure to have a backup when you need one, you should log into your site’s control panel and download a backup. The instructions that follow are for Bluehost, but they should be very similar for most other hosts.

Go to bluehost.com and click on the blue “Control Panel Login” button in the top right corner. After entering your username and password, or domain name and password, you’ll be in the Control Panel.

About half-way down under the heading “Files” is an icon and a link to “Site Backup and Restore”.

Now you’ll see a number of backup choices, some of which are “Pro Only”. For an annual fee you gain a little more flexibility, but if you just want to back up everything, it’s not necessary. Click on “Full cPanel Backup”.

Next you’ll see a couple different versions of your site, daily, weekly or monthly. Most likely you’ll want the most recent, so click Daily.

Next you’ll be asked to select an “Archive Type”, .tar or .zip; either will work. Click “Start Archiving”. After it’s done, you’ll get a link to download the file.

Depending on the size of your site and your connection speed, downloading the file could take a little while.

That’s it. Now you just have to remember to do it regularly.

How to Update Your Site to the Most Current Version of WordPress

We recommend keeping your version of WordPress current, mainly for the security fixes.

There’s a good article on the WordPress site with instructions for Updating WordPress.

There are a few main points in the article that need a little more explanation.

Check Requirements

Most of our WordPress sites are hosted with Bluehost and currently they meet the system requirements for the most current version of WordPress, and I would imagine they will always meet the system requirements. If you’re not sure, check with your web host.

Make a Backup

In the Control Panel of your web host, download a backup of both your database and your website files. In Bluehost’s control panel it’s under Files > Site Backup & Restore. You’ll want to download “Website Files” and “MySQL Databases (All)”, or alternatively you could just download the “Full cPanel Backup”, although it might take a little while longer.

Disable Plugins

In the WordPress dashboard, go to Plugins. Select all and disable. You might make note of which are currently disabled already so you don’t inadvertently enable them later.

Ready to Update

After clicking the update button in the WordPress dashboard, you’ll see information for upgrading WordPress and, down below, information on upgrading your plugins. Update the plugins first, and then WordPress. You’ll want to do the automatic update. If you are unable to continue because WordPress is requiring FTP connection information, you can often use your control panel user and password, but it would be more secure to first create a new FTP user and password in your host’s control panel and then use that connection information to upgrade WordPress. Once WordPress is updated, go back into Plugins and activate those plugins which were previously active.

If You’re Feeling Lucky

You can always just click the “Update” button, and ignore these instructions. We are not recommending this; however, we have clients that do it all the time.

Inserting Images in an RSS-to-Email Newsletter

An easy way to publish an email newsletter is to use WordPress and Mailchimp. In a nutshell, Mailchimp can pull the content from your blog post and send it via email as an e-newsletter (you can also post straight to Facebook, but that will be the subject of a future post). Once you have a template set up, one of the things you need to be careful about is how you insert an image into your blog post.

The video below gives a brief explanation on the best way to insert images so that they look good in both your blog and your newsletter.